flight 21076 xen-4.2-testing real [real] http://www.chiark.greenend.org.uk/~xensrcts/logs/21076/ Regressions :-( Tests which did not succeed and are blocking, including tests which could not be run: test-i386-i386-xl-qemuu-winxpsp3 7 windows-install fail REGR. vs. 20806 test-i386-i386-xl-qemut-winxpsp3 7 windows-install fail REGR. vs. 20806 test-i386-i386-xl-winxpsp3 10 guest-saverestore.2 fail in 21071 REGR. vs. 20806 Tests which are failing intermittently (not blocking): test-amd64-amd64-xl-sedf 14 guest-localmigrate/x10 fail pass in 21071 test-i386-i386-xl-winxpsp3 7 windows-install fail pass in 21071 test-amd64-i386-xl-credit2 14 guest-localmigrate/x10 fail in 21071 pass in 21076 Tests which did not succeed, but are not blocking: test-amd64-amd64-xl-pcipt-intel 9 guest-start fail never pass test-amd64-i386-xl-winxpsp3-vcpus1 13 guest-stop fail never pass test-amd64-i386-xl-qemut-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-win7-amd64 13 guest-stop fail never pass test-amd64-amd64-xl-qemuu-win7-amd64 13 guest-stop fail never pass test-amd64-i386-xend-winxpsp3 16 leak-check/check fail never pass test-amd64-amd64-xl-winxpsp3 13 guest-stop fail never pass test-amd64-amd64-xl-qemut-winxpsp3 13 guest-stop fail never pass test-amd64-i386-xl-qemut-winxpsp3-vcpus1 13 guest-stop fail never pass test-amd64-i386-xend-qemut-winxpsp3 16 leak-check/check fail never pass test-amd64-amd64-xl-qemuu-winxpsp3 13 guest-stop fail never pass test-amd64-i386-xl-win7-amd64 13 guest-stop fail never pass version targeted for testing: xen a489633284ce1e7d6e48011f198e71351213ecb2 baseline version: xen eba971d94289d91e4a3959d2c083a59deb100568 ------------------------------------------------------------ People who touched revisions under test: Andrew Cooper <andrew.cooper3@citrix.com> Daniel De Graaf <dgdegra@tycho.nsa.gov> Jan Beulich <jbeulich@suse.com> Keir Fraser <keir@xen.org> ------------------------------------------------------------ jobs: build-amd64 pass build-i386 pass build-amd64-oldkern pass build-i386-oldkern pass build-amd64-pvops pass build-i386-pvops pass test-amd64-amd64-xl pass test-amd64-i386-xl pass test-i386-i386-xl pass test-amd64-i386-rhel6hvm-amd pass test-amd64-i386-qemut-rhel6hvm-amd pass test-amd64-i386-qemuu-rhel6hvm-amd pass test-amd64-amd64-xl-qemut-win7-amd64 fail test-amd64-i386-xl-qemut-win7-amd64 fail test-amd64-amd64-xl-qemuu-win7-amd64 fail test-amd64-amd64-xl-win7-amd64 fail test-amd64-i386-xl-win7-amd64 fail test-amd64-i386-xl-credit2 pass test-amd64-amd64-xl-pcipt-intel fail test-amd64-i386-rhel6hvm-intel pass test-amd64-i386-qemut-rhel6hvm-intel pass test-amd64-i386-qemuu-rhel6hvm-intel pass test-amd64-i386-xl-multivcpu pass test-amd64-amd64-pair pass test-amd64-i386-pair pass test-i386-i386-pair pass test-amd64-amd64-xl-sedf-pin pass test-amd64-amd64-pv pass test-amd64-i386-pv pass test-i386-i386-pv pass test-amd64-amd64-xl-sedf fail test-amd64-i386-xl-qemut-winxpsp3-vcpus1 fail test-amd64-i386-xl-winxpsp3-vcpus1 fail test-amd64-i386-xend-qemut-winxpsp3 fail test-amd64-amd64-xl-qemut-winxpsp3 fail test-i386-i386-xl-qemut-winxpsp3 fail test-amd64-amd64-xl-qemuu-winxpsp3 fail test-i386-i386-xl-qemuu-winxpsp3 fail test-amd64-i386-xend-winxpsp3 fail test-amd64-amd64-xl-winxpsp3 fail test-i386-i386-xl-winxpsp3 fail ------------------------------------------------------------ sg-report-flight on woking.cam.xci-test.com logs: /home/xc_osstest/logs images: /home/xc_osstest/images Logs, config files, etc. are available at http://www.chiark.greenend.org.uk/~xensrcts/logs Test harness code can be found at http://xenbits.xensource.com/gitweb?p=osstest.git;a=summary Not pushing. ------------------------------------------------------------ commit a489633284ce1e7d6e48011f198e71351213ecb2 Author: Jan Beulich <jbeulich@suse.com> Date: Tue Oct 22 12:07:40 2013 +0200 x86-64: check for canonical address before doing page walks ... as there doesn''t really exists any valid mapping for them. Particularly in the case of do_page_walk() this also avoids returning non-NULL for such invalid input. Suggested-by: Andrew Cooper <andrew.cooper3@citrix.com> Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: 6fd9b0361e2eb5a7f12bdd5cbf7e42c0d1937d26 master date: 2013-10-11 09:31:16 +0200 commit f17eab34ef3d53920816771f4ab5f907160e6ca6 Author: Jan Beulich <jbeulich@suse.com> Date: Tue Oct 22 12:06:43 2013 +0200 x86: add address validity check to guest_map_l1e() Just like for guest_get_eff_l1e() this prevents accessing as page tables (and with the wrong memory attribute) internal data inside Xen happening to be mapped with 1Gb pages. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: d06a0d715ec1423b6c42141ab1b0ff69a3effb56 master date: 2013-10-11 09:29:43 +0200 commit 0f72e5d7608e01a79f26a8601a3ea289fa52589f Author: Jan Beulich <jbeulich@suse.com> Date: Tue Oct 22 12:05:45 2013 +0200 x86: correct LDT checks - MMUEXT_SET_LDT should behave as similarly to the LLDT instruction as possible: fail only if the base address is non-canonical - instead LDT descriptor accesses should fault if the descriptor address ends up being non-canonical (by ensuring this we at once avoid reading an entry from the mach-to-phys table and consider it a page table entry) - fault propagation on using LDT selectors must distinguish #PF and #GP (the latter must be raised for a non-canonical descriptor address, which also applies to several other uses of propagate_page_fault(), and hence the problem is being fixed there) - map_ldt_shadow_page() should properly wrap addresses for 32-bit VMs At once remove the odd invokation of map_ldt_shadow_page() from the MMUEXT_SET_LDT handler: There''s nothing really telling us that the first LDT page is going to be preferred over others. Signed-off-by: Jan Beulich <jbeulich@suse.com> Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: 40d66baa46ca8a9ffa6df3e063a967d08ec92bcf master date: 2013-10-11 09:28:26 +0200 commit 29de283bdb3f547030012c4a4486e59e3d53fa27 Author: Daniel De Graaf <dgdegra@tycho.nsa.gov> Date: Tue Oct 22 12:04:43 2013 +0200 forbid PV guest console reads The CONSOLEIO_read operation was incorrectly allowed to PV guests if the hypervisor was compiled in debug mode (with VERBOSE defined). Reported-by: Jan Beulich <jbeulich@suse.com> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> master commit: 65ba631bcb62c79eb33ebfde8a0471fd012c37a8 master date: 2013-10-04 12:51:44 +0200 commit 707aec94c54127ebfda7d0f8455ecbb332ee49f0 Author: Andrew Cooper <andrew.cooper3@citrix.com> Date: Tue Oct 22 12:04:01 2013 +0200 x86/percpu: Force INVALID_PERCPU_AREA into the non-canonical address region This causes accidental uses of per_cpu() on a pcpu with an INVALID_PERCPU_AREA to result in a #GF for attempting to access the middle of the non-canonical virtual address region. This is preferable to the current behaviour, where incorrect use of per_cpu() will result in an effective NULL structure dereference which has security implication in the context of PV guests. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: 7cfb0053629c4dd1a6f01dc43cca7c0c25b8b7bf master date: 2013-10-04 12:24:34 +0200 commit bb3e0cc28ba3d519ca78a4ce19ff6493b496aeee Author: Andrew Cooper <andrew.cooper3@citrix.com> Date: Tue Oct 22 12:03:03 2013 +0200 x86/idle: Fix get_cpu_idle_time()''s interaction with offline pcpus Checking for "idle_vcpu[cpu] != NULL" is insufficient protection against offline pcpus. From a hypercall, vcpu_runstate_get() will determine "v ! current", and try to take the vcpu_schedule_lock(). This will try to look up per_cpu(schedule_data, v->processor) and promptly suffer a NULL structure deference as v->processors'' __per_cpu_offset is INVALID_PERCPU_AREA. One example might look like this: ... Xen call trace: [<ffff82c4c0126ddb>] vcpu_runstate_get+0x50/0x113 [<ffff82c4c0126ec6>] get_cpu_idle_time+0x28/0x2e [<ffff82c4c012b5cb>] do_sysctl+0x3db/0xeb8 [<ffff82c4c023280d>] compat_hypercall+0xbd/0x116 Pagetable walk from 0000000000000040: L4[0x000] = 0000000186df8027 0000000000028207 L3[0x000] = 0000000188e36027 00000000000261c9 L2[0x000] = 0000000000000000 ffffffffffffffff **************************************** Panic on CPU 11: ... get_cpu_idle_time() has been updated to correctly deal with offline pcpus itself by returning 0, in the same way as it would if it was missing the idle_vcpu[] pointer. In doing so, XENPF_getidletime needed updating to correctly retain its described behaviour of clearing bits in the cpumap for offline pcpus. As this crash can only be triggered with toolstack hypercalls, it is not a security issue and just a simple bug. Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com> Acked-by: Keir Fraser <keir@xen.org> master commit: 0aa27ce3351f7eb09d13e863a1d5f303086aa32a master date: 2013-10-04 12:23:23 +0200 (qemu changes not included)